I see that the secLevel parameter of generateParamsList controls the number of items of the SignatureProofList.expProof therefore affects the proving time and the size of the proof. Are secLevels less than 80 safe to use? What's the trade off for proofs created with secLevel that are less than 80?

Do provers need to generate a SystemParametersList every time they're proving something? If not, is SystemParametersList like a snark verification key, i.e. generated only once for each circuit?

When using writeJson(SignatureProofList, attestation.proof) on a browser environment, I get the error TypeError: Cannot call a class constructor without |new| index. For context, I'm using zkp-ecdsa in the following application within nextjs and after compiling it for "production", the code no longer works showing that error. During "development" (i.e. next dev) the code shows no issue so this is likely a JavaScript error after an improper transpiling from TypeScript.

Reading throught the example it seems that I need to have access to the list of publickeys so that I can generate a proof of the signature.

So here is my thinking

1. Generate KeyPair
2. Submit public key to an endpoint that adds it to the list
3. generate Signature and submit to an endpoint that generates the proof
4. give the proof to the requester
5. requester submits proof to an endpoint that validates the proof.

This now adds some complexity, as I need to keep the list of Public Keys in memory / data store and reference that list each time. So I would need a mechanism that would scale. Or am i wrong in that thinking and there is a short cut to keeping the generated proofs valid whilst not maintaining the list.

Please close if there is a better forum for this.

Regards
Nicholas

Hello sir, i'm trying to understand how to use this library to prove that i staked 32 ETH on lido ? Can you add some code examples ?

In readme's step 1, the usage code says "sign the hash of the msg" but based on test/zkpAttestList.test.ts it should be "sign the msg".

// Sign a message as usual.
const msgHash = new Uint8Array(await crypto.subtle.digest('SHA-256', msg));
const signature = new Uint8Array(
    await crypto.subtle.sign(
        { name: 'ECDSA', hash: 'SHA-256' },
        keyPair.privateKey, msgHash, // <---- should be `msg`
    )
);

Once the zkAttestProof object has been created, it would be great to export or serialize it to be able to use it in separate mediums. However, the class object is fairly complex, and de/reconstructing seems like a bit of a challenge.

Are there any interest in adding this feature? For the current use case that seems to be used, it could be used as "backup" proof in case the generated key has been lost.

Hi,

It seems to me that there is a mismatch between the implementation of the function proveExp() in exp/exp.ts and the corresponding protocol from the ZKAttest paper (Proof of Scalar Multiplication, Section 5).

The difference is that in proveExp() the challenge variable challenge is the same for all instances, while in the protocol from the paper the challenge string c = (c0, c1) is different for every instance.

I do not know yet the security issues that it might raise (I have to read the protocol more carefully), but practically it means that inside the for loop (line 168, exp.ts), we will constantly evaluate the same branch for all i < secparam.

Suggestion: create a challenge for all instances i:

    ...
    // Compute challenge c = H (Cx, Cy, A, Tx, Ty)
    const challenges = new Array<bigint>(secparam)
    for (let i = 0; i < secparam; i++) {
        challenges[i as number] = await hashPoints('SHA-256',  [Px.p, Py.p, A[i as number], Tx[i as number].p,  Ty[i as number].p])
    }
    const allProofs = new Array<ExpProof>(secparam)
    let proof: ExpProof
    for (let i = 0; i < secparam; i++) {
        if (isOdd(challenges[i as number])) {
            ...

If this sounds right to you I can make a pull request with this change.